security for virtual server environments
TRANSCRIPT
Trend Micro Channel ConfidentialJune 2010
Veli-Pekka KusminPre-Sales Engineer
Security for Virtual Server EnvironmentsTrend Micro Core Protection for Virtual Machines
Trend Micro Deep Security
Copyright 2010 - Trend Micro Inc.
Security challenges in Virtual Environment
• Datacenter trends
• Securing VMs
– Traditional approach
– Problems
June-2010 2Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Trends in the Datacenter
3
Physical
Virtualized
Cloud
Servers under pressure
Servers virtual and in motion
Servers in the open
June-2010 3Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Securing Virtual Servers the Traditional Way
App
OS
Network
IDS / IPS ESX Server
App
OS
App
OS
AppAV AppAV AppAV
• Anti-virus: Local, agent-based protection
in the VM
• IDS / IPS: Network-based device or
software solution
June-2010 4Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Virtual Machines Need Specialized Protection
Same threats in virtualized servers
as physical.
New challenges:
1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion
+
June-2010 5Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Problem 1:
Dormant VMs are unprotected
Dormant VMs includes VM templates and backups:
• Cannot run scan agents yet still can get infected
• Stale AV signatures
App
OS
ESX Server
App
OS
App
OS
AppAV AppAV AppAVApp
OS
App
OS
AppAV AppAV
Dormant VMs Active VMs
June-2010 6Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Problem 2:
Full System Scans
ESX Server
OS
AppAVTypical AV
Console
3:00am Scan
Resource Contention with Full System Scans
• Existing AV solutions are not VM aware
• Simultaneous full AV scans on same host
causes severe performance degradation
• No isolation between malware and anti-malwareJune-2010 7Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Problem 3:
VM Sprawl
ESX Server
Managing VM Sprawl
• Security weaknesses replicate quickly
• Security provisioning creates bottlenecks
• Lack of visibility into, or integration with, virtualization
console increases management complexity
App
OS
AppAV
Dormant Active New
June-2010 8Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Problem 4:
Inter-VM Traffic
Inter-VM traffic
• NIDS / NIPS blind to intra-VM traffic
• First-generation security VMs require intrusive vSwitch
changes
OS
AppAV
OS
AppAV
OS
AppAV
OS
AppAV
Network
IDS / IPSvSwitch vSwitch
Dormant Active
June-2010 9Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Problem 5:
VM Mobility
vMotion & vCloud:
• Reconfiguration required: cumbersome
• VMs of different sensitivities on same server
• VMs in public clouds (IaaS) are unprotected
OS
AppAV
OS
AppAV
Network
IDS / IPSvSwitch vSwitch
Dormant
OS
AppAV
Active
June-2010 10Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
The Solution
• VMware VMsafe
• The Trend Micro approach
June-2010 11Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Introducing VMsafe
App
OS
ESX Server
App
OS
App
OS
VMsafe APIs
Security VMFirewall
IDS / IPS
Anti-Virus
Integrity
Monitoring
– Protect the VM by inspection of virtual components
– Unprecedented security for the app & data inside the VM
– Complete integration with, and awareness of, vMotion,
Storage VMotion, HA, etc.
June-2010 12Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
VMsafe™ APIs
CPU/Memory Inspection• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack
June-2010 13Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
- Firewall
- IDS / IPS
- Anti-Malware
- Integrity
Monitoring
- Log Inspection
The Trend Micro Approach
ESX Server
Security VMDormant
Comprehensive, coordinated protection for all VMs
• Local, agent-based protection in the VM
• Security VM that secures VMs from the outside
• Multiple protection capabilities
• Integrates with VMware vCenter and VMsafe
VMsafe APIs
June-2010 14Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
The Solution 1
• Trend Micro
Core Protection for
Virtual Machines
June-2010 15Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Anti-Malware Scanning VM - TM Core Protection for VMs
VMsafe APIs
• Anti-malware scanning for target VMs from outside
• Integrates VMsafe VDDK APIs to mount VM disk files
• Full scans of dormant & active VMs from scanning VM
• Immunizes the protection agent from disruptive activities
Scanning
VMs
VMsafe APIsVMsafe APIs
June-2010 16Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Trend Micro Core Protection for Virtual Machines
More Protection
• First virtualization-aware anti-malware product in the market
• Secures dormant and active VMs efficiently
• New VMs auto-scanned on creation and auto-assigned to a
scanning VM
• Supports VI3 and vSphere 4 (needs vCenter)
Less Complexity
• Flexible Management: Through standalone web console, as a plugin to
Trend Micro OfficeScan or through VMware vCenter
• Flexible Configuration: Can be configured with multiple scanning VMs
on any ESX/ESXi (or physical) server
• Flexible Deployment: CPVM can be setup to co-exist with OSCE or
competitive products if necessary (not ideal*)
June-2010 17Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.June-2010 18Trend Micro Channel Confidential
Core Protection for Virtual Machines
Copyright 2010 - Trend Micro Inc.
CPVM System Requirements
June-2010 19Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.June-2010 20Trend Micro Channel Confidential
Core Protection for Virtual Machines
• While server virtualization increases efficiency in the data center, it also
challenges the security of the IT environment. Traditional security imported
from the physical world cannot fully protect virtual environments which are
particularly vulnerable when virtual machines are dormant or offline as they
are unable to protect themselves with a virus scan agent and signature
updates. Also, resource-intensive security operations such as scheduled full
system scans can significantly degrade the performance of the host and
render the security ineffective, especially when initiated concurrently on
multiple virtual machines. To fully realize the cost and productivity
advantages of virtualization, enterprises need content security that is
architected specifically to secure today’s highly virtualized datacenter.
• Trend Micro™ Core Protection for Virtual Machines enables enterprises to
maximize the economic benefits of virtualization without compromising the
security of their datacenter. Specifically designed for VMware ESX/ESXi
environments, this virtualization-aware solution leverages the VMsafe APIs
from VMware to secure both active and dormant virtual machines. Layered
protection uses dedicated scanning virtual machines coordinated with real-
time agents within each virtual machine.
Copyright 2010 - Trend Micro Inc.
The Solution 2
• Trend Micro
Deep Security
June-2010 21Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Intrusion
Defense
Intrusion
Defense
Intrusion Defense VM - TM Deep Security
VMsafe APIs
Intrusion
Defense
• Intrusion Defense provides IDS/IPS & firewall protection
• Integrates VMsafe-NET APIs (firewall & IDS/IPS)
• Enforces security policy
• Newly emerging VMs are automatically protected
VMsafe APIsVMsafe APIs
June-2010 22Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Trend Micro Deep Security Modules
Deep Packet Inspection
Log InspectionIntegrity Monitoring
Firewall
• Centralized management of server
firewall policy
• Pre-defined templates for common
enterprise server types
• Fine-grained filtering: IP & MAC
addresses, Ports
• Coverage of all IP-based protocols:
TCP, UDP, ICMP, IGMP …
Enables IDS / IPS, Web App Protection,
Application Control, Virtual Patching
Examines incoming & outgoing traffic for:
• Protocol deviations
• Content that signals an attack
• Policy violations.
• Collects & analyzes operating system
and application logs for security
events.
• Rules optimize the identification of
important security events buried in
multiple log entries.
• Monitors critical files, systems and
registry for changes
• Critical OS and application files (files,
directories, registry keys and values)
• Flexible, practical monitoring
through includes/excludes
• Auditable reports
June-2010 23Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Firewall
Decreases the attack surface of physical and virtual servers
• Centralized management of server firewall policy
• Pre-defined templates for common enterprise server types
• Virtual machine isolation
• Fine-grained filtering
– IP & MAC addresses, Ports
• Coverage of all IP-based protocols
– TCP, UDP, ICMP, …
• Coverage of all frame types (IP, ARP, …)
• Prevents Denial of Service (DoS) attacks
• Design policies per network interface
• Detection of reconnaissance scans
24June-2010Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Deep Packet Inspection
IDS/IPS
– Vulnerability rules: shield known
vulnerabilities from unknown attacks
(virtual patching)
– Exploit rules: stop known attacks
– Smart rules: Zero-day protection from
unknown exploits against an unknown
vulnerability
– Microsoft Tuesday protection is
delivered in synch with public
vulnerability announcements
– On the host/server (HIPS)
Web Application Protection
– Enables compliance with PCI DSS 6.6
– Shield vulnerabilities in custom web
applications, until code fixes can be
completed
– Shield legacy applications that cannot be
fixed
– Prevent SQL injection, cross-site scripting
(XSS)
Application Control
– Detect suspicious inbound/outbound traffic
such as allowed protocols over non-
standard ports
– Restrict which applications are allowed
network access
– Detect and block malicious software from
network access
25June-2010Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Integrity Monitoring
Monitors files, systems and registry for changes
• Critical OS and application files (files, directories, registry keys
and values, etc.)
• On-change, on-demand or scheduled detection
• Extensive file property checking,
including attributes (PCI 10.5.5)
• Monitor specific directories
• Flexible, practical monitoring through
includes/excludes
• Auditable reports
Useful for:
– Meeting PCI compliance
– Alerting on errors that could
signal an attack
– Alerting on critical system changes
26June-2010Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Log Inspection
Getting visibility into important security events buried
in log files
– Collects & analyzes operating system
and application logs for security events
– Rules optimize the identification of
important security events buried
in multiple log entries
– Events are forwarded to a SIEM
or centralized logging server for
correlation, reporting and archiving
Useful for:
– Suspicious behavior detection
– Collection of security-related administrative
actions
– Optimized collection of security events across your
datacenter
– Advanced rule creation using OSSEC rule syntax27June-2010Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Deep Security: Platforms protected
28
• Windows 2000, Windows 7
• Windows XP, 2003 (32 & 64 bit)
• Vista (32 & 64 bit)
• Windows Server 2008 (32 & 64 bit)
• HyperV (Guest VM)
• 8, 9, 10 on SPARC
• 10 on x86 (64 bit)
• Solaris 10 partitions
• Red Hat 3
• Red Hat 4, 5 (32 & 64 bit)
• SuSE 9, 10
• VMware ESX Server (Guest VM)
• Virtual Center integration
• XenServer Guest VM
• HP-UX 11i v2
• AIX 5.3Integrity Monitoring
& Log Inspection
modules
June-2010 28Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Deep Security 7.0 - Virtual Appliance
(vSphere 4 VMsafe based)
29
App
OS
ESX Server
App
OS
App
OS
VMsafe APIs
Virtual Appliance
Firewall
IDS / IPS
– Protect the VM by inspection of virtual components
– Secures VMs from the outside, no changes required to VM
– Complete integration with, and awareness of, vMotion,
Storage VMotion, HA, etc.
– Virtual Center integration for VM discovery & synchronization
June-2010Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
VMware vSphere 4
VMware
vCenterDeep Security
Virtual Appliance*
Coordinated Security Approach
• Agent Disappears (removed / reverted to previous snapshot)Coordinated Security Approach
• Agent Disappears (removed / reverted to previous snapshot)
• Virtual Appliance auto-protects VM
* VMware vSphere 4
VMsafe API based solution
Deep Security 7.0 Virtual Appliance
Trend Micro Channel Confidential June-2010 30
Copyright 2010 - Trend Micro Inc.
Deep Security 7.0 Virtual Appliance
Protection
Modules
Supported Description
Firewall Yes • Transparent to the VM
• Security policies can be assigned on a
per network interface basis
• Auto-enforce FW policies if Agent in VM
is offline or no longer running
Firewall & DPI Yes • Full DPI support (IDS/IPS, Web App
protection, App Control)
• Auto-enforce DPI policies if Agent in VM
is offline or no longer running
Integrity Monitoring No • Requires Agent in VM
Log Inspection No • Requires Agent in VM
Trend Micro Channel Confidential June-2010 31
Copyright 2010 - Trend Micro Inc.June-2010 32Trend Micro Channel Confidential
Deep Security 7.0 Components
Security Center
Alerts
Security
Profiles
Security
UpdatesReports
Deep Security
Agent
Deep Security
Virtual Appliance
Deep Security
Manager
Copyright 2010 - Trend Micro Inc.June-2010 33Trend Micro Channel Confidential
Deep Security 7.0
• Enterprises are increasingly online and data-centric, and no matter what the
purpose—connecting partners, personnel, suppliers, or customers—
applications face a growing danger of cyber attacks. These targeted threats
are greater and more sophisticated than ever before, and data security
compliance becomes more stringent every day. Your company needs
uncompromising security that enables you to modernize your datacenter
with virtualization and cloud computing without reducing performance.
• Trend Micro delivers streamlined, integrated products, services, and
solutions that cost-effectively protect sensitive data and minimize risk. Deep
Security is comprehensive server and application protection software that
enables physical, virtual, and cloud computing environments to become
self-defending. Whether implemented as software, virtual appliance, or in a
hybrid approach, this solution minimizes overhead, streamlines
management, and strengthens transparent security for virtual machines.
Deep Security also addresses a wide range of compliance requirements,
including six major PCI compliance requirements with web application-layer
firewall, IDS/IPS, file integrity monitoring, and network segmentation.
Copyright 2010 - Trend Micro Inc.
An Example
• Stopping Conficker
June-2010 34Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
How It Works: Stopping Conficker
ESX Server
Security VM- Firewall
- IDS / IPS
- Anti-Malware
- Integrity
Monitoring
- Log Inspection
Dormant
• Firewall: Limits VMs accessing a VM with vulnerable service
• IDS/IPS: Prevent MS008-067 exploits
• Anti-Malware: Detects and cleans Conficker
• Integrity Monitoring: Registry changes & service modifications
• Log Inspection: Brute force password attempts
VMsafe APIs
InfectedActive
June-2010 35Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Summary
• Trend Micro Core
Protection for VMs 1.0
• Trend Micro
Deep Security 7.0
June-2010 36Trend Micro Channel Confidential
Copyright 2010 - Trend Micro Inc.
Available from Trend Micro
June-2010 37Trend Micro Channel Confidential
Trend Micro
Core Protection
for VMs 1.0
Trend Micro
Deep Security 7.0
Trend Micro
Deep Security 7.5
– Anti-malware protection for
VMware virtual environments
– Firewall, IDS/IPS, Integrity
Monitoring & Log Inspection
– Runs in VMs with vCenter
integration
– Virtual Appliance complements
agent-based protection
– CPVM technology integrated into
Deep Security as an anti-malware
module
TODAY
Q3
2010
Copyright 2010 - Trend Micro Inc.
Available from Stallion
June-2010 38Trend Micro Channel Confidential
Trend Micro
Core Protection
for VMs 1.0
Trend Micro
Deep Security 7.0
– Prices and evaluation licenses
– Demonstrations
– Prices and evaluation licenses
– Demonstrations
TODAY
Copyright 2010 - Trend Micro Inc.June-2010 39Trend Micro Channel Confidential
Demo
Copyright 2010 - Trend Micro Inc.Sep 2007 40Trend Micro Channel Confidential
Veli-Pekka KusminPre-Sales Engineer
Trend Micro Baltics & Finland
Porkkalankatu 7 A, 5th floor
FI-00180 Helsinki
Finland
Telephone +358 9 5868 620
Direct +358 9 5868 6212
Fax +358 9 753 1098
Mobile +358 40 596 7181
http://www.trendmicro-europe.com